参考:https://www.cnblogs.com/marility/p/9392645.html
1,安装环境及软件版本
程序 | 版本 | 安装方式 |
elasticsearch | 6.3.1 | rpm |
kibana | 6.3.1 | rpm |
java | 1.8.0 | tar |
2,search guard安装
2.1在elasticsearch安装
cd /usr/share/elasticsearch/bin/
./elasticsearch-plugin install com.floragunn:search-guard-6:6.3.1-24.0
安装的版本查看
查看
进行demo模式安装
cd /usr/share/elasticsearch/plugins/search-guard-6/tools
bash install_demo_configuration.sh
安说明输入3个y确认
重启elasticsearch
systemctl restart elasticsearch
web访问测试安装是否成功
https://172.16.20.12:9200/_searchguard/authinfo
注意是https而不是http
输入默认用户名和密码admin
打印admin的json格式则代表安装成功
此时打开kibana出现输入用户名密码提示但是无法输入
2.2在kibana安装
首先停止kibana
systemctl stop kibana
PS:如果不停止kibana直接安装,启动会报错 报错日志 /var/log/meaasge
如果启动报错了,可以删除kibana插件重新安装
./kibana-plugin remove searchguard
cd /usr/share/kibana/bin/
./kibana-plugin install https://search.maven.org/remotecontent?filepath=com/floragunn/search-guard-kibana-plugin/6.3.1-14-beta-1/search-guard-kibana-plugin-6.3.1-14-beta-1.zip
需要安装版本查看
修改kibana配置文件 /etc/kibana/kibana.yml
server.port: 5601
server.host: "172.16.20.12"
#server.host: "0.0.0.0"
server.name: "test-es-kibana"
elasticsearch.url: "https://172.16.20.12:9200"
kibana.index: ".kibana"
elasticsearch.username: "kibanaserver"
elasticsearch.password: "kibanaserver"
elasticsearch.ssl.verificationMode: none
elasticsearch.requestHeadersWhitelist: [ "Authorization", "sgtenant" ]
xpack.monitoring.enabled: false
xpack.graph.enabled: false
xpack.ml.enabled: false
xpack.watcher.enabled: false
xpack.security.enabled: false
PS:elasticsearch配置为https
启动kibana通过5601端口访问,输入用户名和密码均为admin
左侧菜单栏出现search guard代表安装成功
PS:版本6.5.4配置kibana后启动报错
Browserslist: caniuse-lite is outdated. Please run next command `npm update caniuse-lite browserslis
原因为node版本低4版本,升级为8版本重启kibana即可
添加只读用户guest
使用用户guest登录只能读无法编辑
配置logstash输入至elasticsearch
/etc/logstash/conf.d/logstash.conf
input {
stdin{}
} output {
elasticsearch {
hosts => [ "172.16.20.12:9200" ]
ssl => true
ssl_certificate_verification => false
user => admin
password => admin
index => "logstash_%{+YYYY.MM.dd}"
} stdout {
codec => rubydebug
}
}
PS:测试标准输出至elasticsearch并输出至屏幕
需要增加这两个配置 否则启动报错
ssl => true
ssl_certificate_verification => false
启动
/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/logstash.conf
以上为自动生成证书,下面使用在线生成证书安装search guard
在线生成证书,https://search-guard.com/tls-certificate-generator/
登录刚刚输入的邮箱下载证书,上传至服务器的文件夹/tmp解压缩并把解压后的所有文件放置在文件夹/etc/elsaticsearch/key
cd /tmp
rz
tar -xf search-guard-certificates-8d1c8141-5f8b-4932-b7e2-a7109c400330.tar.gz.tar
cd /tmp/search-guard-certificates
mv * /etc/elasticsearch/key/
证书文件目录结构如下
[root@prd-elk-logstash-02 key]# tree
.
├── chain-ca.pem
├── client-certificates
│ ├── CN=demouser.all.pem
│ ├── CN=demouser.crtfull.pem
│ ├── CN=demouser.crt.pem
│ ├── CN=demouser.csr
│ ├── CN=demouser.key.pem
│ ├── CN=demouser.key.pkcs12
│ ├── CN=demouser-keystore.jks
│ ├── CN=demouser-keystore.p12
│ ├── CN=demouser-signed.pem
│ ├── CN=sgadmin.all.pem
│ ├── CN=sgadmin.crtfull.pem
│ ├── CN=sgadmin.crt.pem
│ ├── CN=sgadmin.csr
│ ├── CN=sgadmin.key.pem
│ ├── CN=sgadmin.key.pkcs12
│ ├── CN=sgadmin-keystore.jks
│ ├── CN=sgadmin-keystore.p12
│ └── CN=sgadmin-signed.pem
├── node-certificates
│ ├── CN=IP-172.16.90.24.crtfull.pem
│ ├── CN=IP-172.16.90.24.csr
│ ├── CN=IP-172.16.90.24.key.pem
│ ├── CN=IP-172.16.90.24.key.pkcs12
│ ├── CN=IP-172.16.90.24-keystore.jks
│ ├── CN=IP-172.16.90.24-keystore.p12
│ └── CN=IP-172.16.90.24-signed.pem
├── README.txt
├── root-ca
│ ├── root-ca.crt
│ ├── root-ca.key
│ └── root-ca.pem
├── root-ca.pem
├── signing-ca
│ ├── signing-ca.crt
│ ├── signing-ca.key
│ └── signing-ca.pem
├── truststore.jks
└── truststore.p12 4 directories, 36 files
安装elsticsearch 插件
cd /usr/share/elasticsearch/bin/
./elasticsearch-plugin install com.floragunn:search-guard-6:6.5.4-24.2
以上为在线下载安装,也可以下载好文件使用以下命令安装
/usr/share/elasticsearch/bin/elasticsearch-plugin install file:///nas/nas/softs/elk/6.6.2/search-guard-6-6.6.2-24.2.zip
安装版本查看
配置elasticsearch支持search gurad
配置文件/etc/elasticsearch/elasticsearch.yml
cluster.name: hopesz-es
node.name: prd-elk-logstash-02
path.data: /data/es-data
path.logs: /var/log/elasticsearch
bootstrap.memory_lock: false
network.host: 0.0.0.0
http.port: 9200
#集群个节点IP地址,也可以使用els、els.shuaiguoxia.com等名称,需要各节点能够解析
#discovery.zen.ping.unicast.hosts: ["172.16.90.24", "172.16.30.55"]
#集群节点数
#discovery.zen.minimum_master_nodes: 2
http.cors.enabled: true
http.cors.allow-origin: "*" #search guard配置开始
#证书可以在key目录下找到
searchguard.ssl.transport.pemcert_filepath: key/node-certificates/CN=IP-172.16.90.24.crtfull.pem
searchguard.ssl.transport.pemkey_filepath: key/node-certificates/CN=IP-172.16.90.24.key.pem
#密码可以在key下README.txt找到
searchguard.ssl.transport.pemkey_password: 5ea2206b9b1e041bf052
searchguard.ssl.transport.pemtrustedcas_filepath: key/chain-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: key/node-certificates/CN=IP-172.16.90.24.crtfull.pem
searchguard.ssl.http.pemkey_filepath: key/node-certificates/CN=IP-172.16.90.24.key.pem
searchguard.ssl.http.pemkey_password: 5ea2206b9b1e041bf052
searchguard.ssl.http.pemtrustedcas_filepath: key/chain-ca.pem
searchguard.authcz.admin_dn:
- CN=sgadmin
searchguard.audit.type: internal_elasticsearch
searchguard.enable_snapshot_restore_privilege: true
searchguard.check_snapshot_restore_write_privileges: true
searchguard.restapi.roles_enabled: ["sg_all_access"]
cluster.routing.allocation.disk.threshold_enabled: false
node.max_local_storage_nodes: 3
xpack.security.enabled: false
#search guard配置结束
重启elasticsearch报错
首先检查文件是否存在,如存在则设置权限组为elasticsearch
chown -R elasticsearch.elasticsearch key/
启动报错
原因:有志气demo安装的证书需要删除 路径为/etc/elasticsearch
rm -rf kirk-key.pem
rm -rf kirk.pem
rm -rf esnode.pem
rm -rf esnode-key.pem
rm -rf root-ca.pem
验证是否安装成功,web页面访问输入用户名密码admin admin
https://172.16.90.24:9200/_searchguard/authinfo
设置权限因子
权限因子密码也可以在README.txt找到
cd /etc/elasticsearch/key/
cp root-ca.pem client-certificates/CN\=sgadmin.key.pem client-certificates/CN\=sgadmin.crtfull.pem /usr/share/elasticsearch/plugins/search-guard-6/tools/
cd /usr/share/elasticsearch/plugins/search-guard-6/tools/
./sgadmin.sh -cacert root-ca.pem -cert CN=sgadmin.crtfull.pem -key CN=sgadmin.key.pem -keypass a756a037271c299fe817 -nhnv -icl -cd ../sgconfig/ -nhnv -icl -cd ../sgconfig/
执行如果报错
修改elaticsearch.yml
network.host: 0.0.0.0
初始化搜索保护配置
cd /etc/elasticsearch/key/
cp truststore.jks /usr/share/elasticsearch/plugins/search-guard-6/tools/
cp client-certificates/CN\=sgadmin-keystore.jks /usr/share/elasticsearch/plugins/search-guard-6/tools/
cd /usr/share/elasticsearch/plugins/search-guard-6/tools/
./sgadmin.sh -ts truststore.jks -tspass e0c2b67ecfc6dad6bc42 -ks CN=sgadmin-keystore.jks -kspass 4abdecb00e4d4891761a -nhnv -icl -cd ../sgconfig/
安装kibana控件(需要先停止kibana)
cd /usr/share/kibana/bin/
./kibana-plugin install https://search.maven.org/remotecontent?filepath=com/floragunn/search-guard-kibana-plugin/6.5.4-18/search-guard-kibana-plugin-6.5.4-18.zip
安装版本查看
修改kibana配置文件
server.port: 5601
server.host: "172.16.90.24"
server.name: "prd-elk-logstash-02"
#配置为https
elasticsearch.url: "https://172.16.90.24:9200"
kibana.index: ".kibana"
elasticsearch.username: "kibanaserver"
elasticsearch.password: "kibanaserver"
elasticsearch.ssl.verificationMode: none
elasticsearch.requestHeadersWhitelist: [ "Authorization", "sgtenant" ]
xpack.monitoring.enabled: false
xpack.graph.enabled: false
xpack.ml.enabled: false
xpack.watcher.enabled: false
xpack.security.enabled: false
启动kibana web页面访问需要输入用户名密码admim即可
配置logstash访问,不同于demo安装的配置需要在logstash配置文件配置如下配置output
output{
if "nginx-prod-log" in [type] {
elasticsearch{
hosts => ["172.16.90.24:9200"]
index => "nginx-prod-log-%{+YYYY.MM}"
ssl => true
ssl_certificate_verification => true
truststore => "/etc/elasticsearch/key/truststore.jks"
truststore_password => "cad3511c129704894bfc"
user => "admin"
password => "admin"
}
#stdout{
# codec => rubydebug
#}
}
增加以下配置
PS:truststore密码同样在README.txt可以找到
truststore密码需要引号 用户名和密码也需要加引号 否则无法启动logstash
用户名和密码没有加引号报错信息为 ConfigurationError